Scopes and objectives of this Notice
Krungthai Card Public Company Limited (the “Company”) realizes the importance of personal data protection of data subjects according to the Personal Data Protection Act, B.E. 2562 and the Company’s Personal Data Protection Policy. The Company has provided this Notice, which covers customer groups as stated in the definitions, in order to inform customers how the Company collects, uses, and discloses the customers’ personal data in relation to any services provided by the Company on financial products. Please read this Notice to acknowledge and understand the Company’s objectives in collecting, using, and disclosing the customers’ personal data.
refers to any data relating to the data subject that can be used to directly or indirectly identify the data subject excluding the data of deceased persons, data of juristic persons, or data that has been anonymized to be unable to identify the data subject.
refers to:
Sensitive personal data
refers to any personal data pertaining to ethnic, racial origins, political opinions, beliefs in doctrines, religions, or philosophies, sexual behaviors, criminal records, or any other data which affects the data subjects in the same way as notified by the Personal Data Protection Committee. The Company shall collect, use, and/or disclose sensitive personal data after the Company has received your explicit consent or in the case of necessity to the extent permitted by laws. The Company may collect, use, and/or disclose biometric personal data, for example, facial recognition data, fingerprint recognition data, retina recognition data, voice recognition data, in order to verify and identify the identity of the service users applying and/or performing any transactions through any channels.
Processing of personal data
refers to any processing of personal data of the data subjects by the Company, including collecting, using, disclosing, and deleting personal data.
refers to any of the Company’s financial products such as KTC credit cards, KTC PROUD cash cards, KTC P BERM vehicle title loans and KTC Merchant such as EDC services, KTC Gateway services, etc.
Channels for obtaining personal data for personal data collection
The Company may collect customers’ personal data via the following channels:
2.1 Personal data that the customers provide directly to the Company or that is obtained by the Company, whether from the usage of financial products and/or services, correspondence, or participation in activities through the Company’s service and/or communication channels such as KTC Touch, website, application, freelance financial advisors, the Company’s online social media, e-mails, marketing promotion activities, member service centers, SMSs, telephone calls, questionnaires, meetings, seminars, events, name cards, etc.
2.2 Personal data that the Company obtains or accesses from other sources such as the companies in financial business groups, merchants accepting cards, other banks or financial institutions, business alliances, companies issuing products with the Company, online platforms of third parties, National Credit Bureau, public data sources, persons having legal authority or legal rights, persons or organizations that the Company has legal relations with, etc.
Customers’ personal data that the Company may collect, use, or disclose
To enable the customers to use the services and/or perform the transactions related to financial products as well as to contact, request for information or receive any services from the Company, the Company has to process the customers’ personal data. The aforementioned personal data includes:
3.1 Personal data such as:
- personal data indicated in the applications, identification documents, supporting documents for the applications, as well as any additional data that may be provided later by the customers, such as names, surnames, addresses, telephone numbers, copies of national identification cards, copies of passports, email addresses, etc.
- any transaction data, credit data, credit/debit card numbers, salary certificates, credit limits, data or documents stating the ownership of collateral, debt payment records
- technical data, tool or equipment data such as username or user account for electronic or online social media communication, application usage data, computer IP address or MAC address, cookies, system login data, location data, computer traffic data according to the Computer-Related Crimes Act, or other data from usage of the website, application, or operating system.
- other data such as complaints, requests for services or privileges, records of communication or correspondence between the customers and the Company, voice recording clips, registration data to participate in any activities, photos, videos, CCTV footages, records of building/venue entrance and exit, court orders, or government gazettes, or government authority’s orders related to the Company’s compliance with the laws such as orders for submission of documentary evidence or physical evidence, receivership orders, etc.
Sensitive personal data:
The Company may have to use sensitive personal data in order to provide services by means of techniques or technologies that use physical or behavioral uniqueness to identify and differentiate a person from others, or the Company may process sensitive personal data for providing services.
The Company may process personal data, which enables the identification of customers, in the form of document and/or pictures and/or electronic form and/or any other forms.
4. Why the Company has to collect, use, or disclose the customers’ personal data?
The Company collects, uses, or discloses the customers’ personal data for the Company’s objectives of providing financial services. Furthermore, the Company may transfer your personal data to third parties or other organizations to process on behalf of the Company as the “personal data processor”. The Company shall process the customers’ personal data based on reason(s) (basis for data processing), which may consist of one or more of the following reasons:
4.1 Because the Company has to perform its duties according to the contracts – processing on contractual basis
To enable the customers to use the Company’s financial products pursuant to the contracts between the Company and the customers as the contractual parties, or according to the customers’ requests, prior or during the usage of the Company’s financial products such as:
(1) Applications to use financial products, analysis, reviews and notifications of approvals, information services, amendments of personal/accounting data, services related to customer relations, process to improve services/products, benefits provisions, loan delivery/transfer, payment acceptance, receipt issuance, notification for debt payment or product renewal.
(2) Any procedures in order to provide services prescribed in the contract such as receipt of complaints, debt collections, debt compositions, risk management.
(3) The Company shall process such data by itself and/or process by cooperating with third parties such as debt collections, provision of sales promotions, or EDC installations, etc.
4.2 Because the Company has to perform according to the Company’s legitimate interests – processing on legitimate interest basis
The Company may process customers’ personal data for management, assessment and provision of the Company’s internal reports, system maintenance to maintain and develop service standards, as well as the Company’s risk management and usual operations within the Company, which are considered legitimate interests, such as:
(1) Voice recordings via member service centers to improve service quality, or to ensure the correctness of services, etc. as well as exchanging identification cards before entering into the office or CCTV footage recordings.
(2) Maintaining customer relations or requesting for no contact from the Company, such as complaints handling, evaluating service satisfaction, notifying or offering the same types of financial products that the customers have, which is beneficial to the customers.
(3) Managing the organizational risks, auditing, managing within the organization, as well as delivering to the companies in the same business to perform such task.
(4) Controlling, preventing, mitigating, or transferring risks that may be caused by frauds, cyber threats, defaults or breaches of contracts, any illegal acts (such as anti-money laundering, combating the financing of terrorism and controlling weapons of mass destruction, offences against property, life, body, freedom or reputation, etc.), which includes personal data sharing to develop the standard of operations for companies in financial industry in controlling, preventing, mitigating, or transferring such risks.
(5) Collecting, using, and/or disclosing personal data of directors, authorized representatives, agents as well as coordinators of juristic customers.
(6) Contacting, recording videos and voices from meetings, seminars, recreational activities, or exhibition booths.
(7) Collecting, using, and/or disclosing personal data of persons whom the court appoints receivership orders.
4.3 Because the Company has to comply with the laws – processing on legal obligation basis
The Company may process customers’ personal data in order to comply with laws of the authorities governing the Company’s course of business such as Bank of Thailand, Office of the Consumer Protection Board, Fiscal Policy Office, Office of the National Anti-Corruption Commission, Personal Data Protection Committee Office, etc. as well as laws governing transactions in capital market such as Cyber Security Maintenance Act, B.E. 2562, Money Laundering Control Act, B.E. 2542, Debt Collection Act, B.E. 2558, other laws with which the Company must comply in delivering data both in Thailand and foreign countries, as well as announcements and regulations under such laws such as the Civil Procedure Code which gives power to the court to order the parties to deliver documents or data to be used in trials, etc.
4.4 Because the Company has received consents from the customers – processing on consent basis
The Company shall request the customers’ consents in processing customers’ personal data as well as biometric data and disability data for purposes of marketing, sales promotions, or benefit offerings, product offerings, or any services, or for purposes of statistics, studies, analysis, researches, data processing, identification for transactions, or for any lawful purposes.
The customers’ personal data processing shall comply with the aforementioned purposes. In some cases, the Company may consider processing the customers’ personal data for other purposes which are relevant to and not contradictory to or beyond the original purposes. However, in the case that the Company has to process the data for other purposes, which are irrelevant to the original purposes, the Company shall request new consents to process the data for such new purposes.
In the case that the customers wish to withdraw consents for such data processing, customers can contact the Company and submit their request according to clause 11. In this regard, the withdrawals of consent may affect customers in using financial products and/or services such as not receiving notifications on benefits, promotions or new offers, not receiving better products or services which are relevant to the customers’ needs, or not receiving information that is beneficial to the customers, etc. Therefore, for benefits of the customers, the customers shall consider or inquire on the effects before withdrawing the consents.
5. Disclosing personal data to third parties
The Company may disclose customers’ personal data to third parties only for necessity to process data as per the duties and responsibilities stated in the contracts or by laws or by the consents of the customers. The Company may disclose customers’ personal data to third parties as follows:
(1) Representatives and contractors or service providers who are third parties in order for such persons and/or juristic persons to provide services to the Company and customers such as financial business groups, financial institutions, partners, business alliances co-providing the products, persons who provide debt collections, EDC installations, sales promotions, acquiring banks of the merchants, Cloud Computing service providers, online social media providers, payment gateway service providers, and other third parties that cooperate with the Company to provide financial products and services, etc.
(2) In the case that the customers hold both principal and supplementary cards, or are under joint loans, or there are any guarantees and/or other financial transactions that involve 2 or more persons, the Company may disclose personal data of customers and persons having joint transactions with the customers.
(3) Governing authorities or government authorities such as Bank of Thailand, the Securities and Exchange Commission, National Credit Bureau, Office of the Consumer Protection Board, Fiscal Policy Office, Anti-Money Laundering Office, the Revenue Department, Office of the National Anti-Corruption Commission, Legal Execution Department, Ministry of Justice, Royal Thai Police, any persons that the Company must disclose data as stated in any related laws or regulations, or in any specific cases such as court orders.
(4) Advisors or specialists such as auditors, external/internal auditors, tax consultants, credit rating agencies, travel coordinators for seminars, meeting arrangers, research service companies, etc.
(5) Organizations that the Company holds the membership such as National Credit Bureau, National ITMX Company Limited, Payment Card Network Operators, etc.
(6) In order for the Company to establish rights to claim according to the contracts or the legislations or to defend against any legal claims.
(7) The Company may send or transfer customers’ data to foreign countries to comply with the contracts between the Company and other persons or juristic persons for the benefits of customers or for its compliance with the laws. In this regard, the destination countries receiving the data shall provide appropriate security measures or are considered by the Personal Data Protection Committee to provide adequate personal data protection, or the organizations receiving the data must have been audited and certified by the Personal Data Protection Committee Office to have appropriate personal data protection measures.
(8) Insurance companies, insurance agents/brokers, including Thai Life Insurance PCL, Prudential Life Assurance (Thailand) PCL, AIA PCL, Cigna Insurance PCL, Dhipaya Insurance PCL, Chubb Insurance PCL, Krungthai Panich Insurance PCL, Allianz Ayudhya Assurance PCL, Hugs Insurance PCL, and any other insurance companies, insurance agents/brokers that the Company shall notify in the future.
7. Customers’ rights on their personal data
Customers have the rights on their personal data and can exercise the rights under the provisions of the existing laws and notifications, or any future amendments as follows:
(1) Right to be informed - Customers shall be informed on their personal data processing, methods of collections, persons receiving the data, objectives and durations of personal data retentions.
(2) Right to access – Customers can request for the copy of their personal data under the Company’s possession and examine whether the Company has legally processed such data.
(3) Right to data portability – The Company has provided personal data in the format that is readable or commonly used by ways of automatic tools or equipment and can be processed by automated means. Customers may request the Company to send or transfer the personal data to third parties by automated means or request to directly obtain the personal data that the Company sends or transfers to third parties, unless it cannot be fulfilled due to technical conditions.
(4) Right to object to personal data processing – Customers can object to the processing of their personal data by the Company.
(5) Right to erase or destroy, or anonymize the personal data – Customers can request for their personal data to be erased or destroyed or anonymized to become anonymous data which cannot identify the data subject.
(6) Right to restrict personal data processing – Customers can request to restrict personal data processing while the Company is pending examination process as per customers’ request to rectify personal data or while the Company is pending verification or pending examination as per customers’ request for the right to object.
(7) Right to rectify personal data – Customers can request to rectify data to be correct, complete and up-to-date if customers find that their data is incorrect, incomplete, or outdated.
Customers have the rights to submit their requests to the Company. In some cases the Company may reject the exercise of customers’ rights due to the reasons stated below. Customers are entitled to file a complaint to the Personal Data Protection Committee Office in the event that the customers do not agree with the explanations for rejection by the Company. The aforementioned requests submitted by the customers for the exercise of rights must be done in writing or by means as specified by the Company. In this regard, the Company shall, with its best effort, proceed or inform the customers within 30 days or no longer than the duration prescribed by laws. The Company shall comply with the laws pertaining to customers’ rights as the data subject of personal data.
In the case where customers request the Company to delete, destroy, eliminate personal data processing, temporarily suspend, anonymize, or withdraw their consent, those may constitute the limitation for the Company to process transactions or provide services to the customers. In addition, the Company reserves the right to charge any relevant and necessary expenses in processing personal data as per the customers’ requests.
8. Retention period of personal data
According to the principle of necessity in retaining personal data, the Company shall retain customers’ personal data for the period necessary to fulfil the objectives of data collection as prescribed by laws as follows:
(1) Customers’ personal data shall be retained throughout the period that the customers are the members of financial products and no more than 10 years after the cessation date of the membership.
(2) In the case that the membership of financial products is not approved, the Company shall retain personal data or any data of the customers who did not receive the approvals for no more than 1 year from the date of rejection.
(3) After the retention period, the Company shall delete or anonymize the personal data.
9. Methods that the Company uses to protect customers’ personal data
The Company provides personal data protection as per “Standard for Information Security Management Systems (ISO/IEC 27001:2013)” and “Standard for Privacy Information Management (ISO/IEC 27701:2019)”.
10. Amendment of personal data protection policy
The Company may review this Customers’ Personal Data Protection Notice. If there is any change, the Company shall notify on its website https://www.ktc.co.th/pdpa and via channels that will be notified as appropriate.
11. How to contact the Company
In the case where customers wish to exercise the rights, or withdraw the consents for personal data processing, or have inquiries on the Company’s data processing, customers can contact the Company at:
Member Service Center: Tel 02 123 5000
Address: Krungthai Card Public Company Limited, No. 591, UBC II Building, 14th Floor, Sukhumvit 33 Road, North Klongton, Wattana, Bangkok 10110 Thailand
E-mail Address of Personal Data Protection Officer: DataProtectionOfficer@ktc.co.th
In the case where customers consider that the personal data processing violates Personal Data Protection Act, B.E. 2562, the customers have the right to file a complaint to the Personal Data Protection Committee Office.
This Notice shall be effective from the date of 10th November 2022 onwards.